Method and apparatus for switching access between mobile networks

ABSTRACT

A method and apparatus for switching access between mobile networks for a mobile terminal comprising a first and a second radio device capable of communication with a first and a second mobile network, respectively. The second mobile network has priority over the first mobile network. A first connection is authorised and established between the first radio device and the first mobile network. When it is detected that the mobile terminal moves into a coverage area of the second mobile network, a second connection is authorised and established between the second radio device and the second mobile network based on the authorising made for the first connection with the first mobile network. Both connections can then rely on the authorisation of the first connection.

This application is the US national phase of international application PCT/SE02/02379 filed 18 Dec. 2002, which designated the US. PCT/SE02/02379 claims priority to SE Application No. 0104325.6 filed 20 Dec. 2001. The entire contents of these applications are incorporated herein by reference.

TECHNICAL FIELD

The present invention relates generally to a method and apparatus for switching access for a mobile terminal between overlapping mobile networks. In particular, the handover procedure between mobile networks is facilitated.

BACKGROUND OF THE INVENTION AND PRIOR ART

Mobile access networks are often designed as cellular networks including a plurality of base stations being connected together by means of switching nodes such as Base Station Controllers (BSCs) and/or Mobile Switching Centres (MSCs). Each base station provides radio coverage over an area known as a cell, for communication over radio channels with mobile terminals located in the cell. When a communicating mobile terminal moves across a cell border, its radio connection switches between the corresponding base stations by means of a “handover” or “handoff” procedure. Each mobile network operator is allocated a certain limited radio frequency spectrum for transmissions, and efforts are made by network designers to provide a high traffic capacity within the allocated spectrum.

When setting up radio connections with mobile terminals, standardised communication protocols and radio channels are used, such as those defined for GSM, TDMA, PDC, UMTS, etc, for transmission of speech and/or data over the air interface as well as within the network, providing a certain data rate. Digital circuit switched radio channels of today, e.g., according to the GSM standard, are primarily designed for communication of encoded speech, providing data rates of less than 10 kbit/s.

Existing GSM networks are currently being extended with packet based GPRS (General Packet Radio Service) technology, providing packet switched radio communication with enhanced data rates ranging between 10 and 120 kbit/s for mobile terminals having GPRS capabilities. Further switching nodes, such as Gateway GPRS Service Nodes (GGSNs) and Serving GPRS Service Nodes (SGSNs), are included in GPRS networks. GSM/GPRS networks and other cellular networks typically provide radio coverage over large areas, often covering entire countries, more or less.

Currently, enhanced wireless access technologies are emerging having far greater data rates, such as WLAN (Wireless Local Area Network), covering much smaller areas and providing so-called “spot coverage” over distances around 100 meters. WLAN stands for a plurality of high-speed wireless technologies, e.g., employing frequency hopping and spread-spectrum radio technologies not further discussed here, for packet based radio communication with data rates ranging between approximately 2-54 Mbit/s. Radio channels are used in freely available frequency bands, such as 2.4 GHz and beyond, requiring no operator licence.

A WLAN may use one or more radio stations as access points to which mobile terminals having WLAN capabilities may be connected over predefined radio channels. A WLAN radio station may be directly connected to an extension of a fixed LAN (Local Area Network) which in turn, through various gateways and/or routers, may provide access to the global Internet or to a company intranet. In the case of Internet, a service is normally utilised from a public telecommunication operator.

WLAN typically provides a limited spot coverage geographically overlapping the larger coverage of cellular networks, such as GSM/GPRS networks. The cellular networks can offer connectivity in urban areas as well as in rural areas, whereas WLAN can offer high speed connections in small hot spot areas. WLAN for public access is currently used mainly in airports, hotels and conference venues, providing fast Internet access and other data services to visitors.

Today, work is in progress for developing a multitude of new mobile services, which will be possible to employ in particular as new technologies with greater capacity and higher data rates are introduced. The contents of the new services include voice, text, images, audio files and video files in various different formats and combinations. Internet browsing is also becoming very popular, and in recent years, the wireless and Internet domains are converging.

More sophisticated mobile terminals are also becoming available on the market, provided with functionality matching the new services. Furthermore, it is possible to combine different mobile terminals. For example, a portable laptop computer may be connected to a mobile phone by means of a cable or a wireless interface, such as a Bluetooth radio interface. The mobile phone can then be used as a radio unit providing access over a cellular network, such as a GSM/GPRS network, and the laptop is utilised as an enhanced user interface, whereas the mobile phone acts as a “modem”. Laptop computers may also be provided with a radio device, e.g., implemented as a PCCARD or the like, for radio access to a WLAN. Alternatively, plural radio devices may be integrated in a single terminal, e.g., a laptop computer, for radio communication with different networks, such as a WLAN and a GSM/GPRS network.

For users having a mobile terminal equipment capable of radio communication over multiple access networks, either as a single integrated device or as plural interconnected devices, it is desirable that the mobile terminal is automatically connected to the access network providing the highest data rates, if more than one network is currently available. The user will then benefit from the best available communication possibilities in any given location. For example, a user having a laptop with WLAN capabilities interconnected with a mobile phone with GSM/GPRS capabilities, will want to switch access to a WLAN when entering its coverage area, instead of being connected to the more limited GSM/GPRS network.

In applicant's own PCT application WO 01/35585, a mechanism is described for selecting the “best” and optimal network connection, when more than one network is available to one or more end devices. The selection is made with respect to factors such as available bandwidth, charge rate, quality, individual preferences, etc.

An access switch between two networks requires that a new radio connection is established with the new network, involving the creation of a new communication session context. The present invention aims at facilitating the switching of access between different networks with maintained security.

Creating a communication session context includes performing certain pre-defined routines for authentication, authorisation and accounting, sometimes referred to as AAA for short. Cellular networks employ AAA routines according to their standardised communication protocols, which are regarded as having a fairly high level of security. For example, each mobile phone may be provided with a secret identity code or the like which is known in the network and is used for authentication and/or for generating encryption keys. The identity code may be stored in a smart card, such as a SIM (Subscriber Identity Module) card as used in GSM, which is movable between different terminals.

A WLAN connection may be secured by means of a certificate stored in the terminal, which is regarded as trustworthy and is used to verify the identity of the user or subscriber. The certificate may also be used for generating various encryption keys and/or session keys to authenticate the terminal and to protect an ongoing session according to well-known techniques, which will not be described here further. The certificate may be issued by a certification authority and may comprise one or more secret codes. However, such secret codes, certificates and encryption keys are cumbersome to administrate and distribute, in particular to subscribers of the general public.

In addition to using stored codes and certificates in the terminal, some services, e.g., Internet services, require a login procedure involving a shared secret, normally a user ID/password combination.

In present solutions, when a mobile terminal with multiple capabilities switches from a first network to a second network, it is a problem that the session context of the first connection is lost and a new session context must be established with the second network, involving a new authentication procedure, among other things. This is the case when, for example, switching between a GSM/GPRS network and a WLAN in either direction. The new session context may further determine different user interface features, available services and charge rates, as dictated by the second network.

Establishing a session context is a fairly complex procedure, and if two different networks are to be accessed, two separate authentication mechanisms having a certain level of security are required, each involving the distribution and storing of secret codes and/or certificates. Further, both networks need one or more nodes with protected links for performing authentication routines.

It is desirable to reduce the handling of shared secrets between a subscriber and network operators, at the same time maintaining security. It is also desirable that the amount of exchanged information and processing work are minimised when switching between networks for reducing the load on transmission resources and to reduce delays.

SUMMARY OF THE INVENTION

The object of this invention is to reduce or eliminate the problems outlined above. This object and others are obtained by providing a method and apparatus for switching access for a mobile terminal between mobile networks. The mobile terminal comprises a first radio device capable of communication with a first mobile network and a second radio device capable of communication with a second mobile network. The second mobile network has priority over the first mobile network, for example by offering a higher transmission bitrate, a higher quality and/or enhanced services.

According to the inventive method, an access request is made to the first mobile network by the mobile terminal using the first radio device. A first connection is authorised and established between the first radio device and the first mobile network. Payload data may then be communicated over the first connection with the limited bitrate/quality/services as offered by the first mobile network. Later, it is detected that the mobile terminal moves into a coverage area of the second mobile network. A second connection is then authorised and established between the second radio device and the second mobile network based on the authorising made for the first connection with the first mobile network.

When authorising the second connection, authentication information is exchanged between the first radio device and an authentication unit in the first mobile network, which authentication information is used by the second radio device for accessing the second mobile network. In this way, authorisation of the second connection relies on the authorisation made for the first connection, thereby substantially facilitating the access switch from the first to the second network. The security level of the first network is also maintained and utilised for the second mobile network.

The exchanged authentication information may comprise login information and one or more encryption keys, according to a predetermined authentication agreement between the first and second mobile networks. Payload data communicated between the second radio device and the second mobile network in the second connection may then be protected by the one or more exchanged encryption keys.

The present invention further embraces a mobile terminal comprising a first radio device capable of communication with a first mobile network and a second radio device capable of communication with a second mobile network, wherein the second mobile network has priority over the first mobile network. The first radio device includes means for making an access request to the first mobile network and means for authorising and establishing a first connection between the first radio device and the first mobile network. The first radio device further includes means for authorising a second connection between the second radio device and the second mobile network based on the first authorised connection with the first mobile network, when it is detected that the mobile terminal moves into a coverage area of the second mobile network.

The present invention further embraces an authentication unit for authenticating a mobile terminal comprising a first radio device capable of communication with a first mobile network and a second radio device capable of communication with a second mobile network, wherein the second mobile network has priority over the first mobile network. The authentication unit includes means for authorising and establishing a first connection between the first radio device and the first mobile network in response to an access request from the first radio device. The authentication unit further includes means for exchanging authentication information with the first radio device when it is detected that the mobile terminal moves into a coverage area of the second mobile network, wherein the exchanged authentication information is used by the second radio device for accessing the second mobile network.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will now be described in more detail and with reference to the accompanying drawings, in which:

FIG. 1 is a schematic view of a communication scenario in which the invention may be implemented.

FIG. 2 is a schematic signalling diagram of a procedure for switching between two networks.

DESCRIPTION OF PREFERRED EMBODIMENTS

FIG. 1 is a schematic view of an exemplary communication scenario in which the present invention may be implemented. 100 denotes a mobile terminal equipment generally comprising a first radio device 102 and a second radio device 104 for communication with first and second mobile access networks 106 and 108, respectively. By way of example, the first radio device 102 may be a mobile phone for radio communication with a cellular network 106, and the second radio device 104 may be a laptop computer equipped with a PCCARD or the like for radio communication with a WLAN 108. The mobile phone 102 and the laptop 104 are interconnected by means of a communication link, such as a cable, a Bluetooth interface or an infrared link. The functionality of both the mobile phone 102 and the laptop 104 may therefore be used, regardless of which network is connected.

It should be understood that the mobile terminal 100 is only logically represented in FIG. 1 as two radio devices 102, 104, but can be designed in many alternative ways within the scope of the present invention. For example, the mobile terminal 100 may instead be one integrated unit, such as a single laptop with a PCCARD or a single mobile phone, either being capable of radio communication with both networks 106 and 108.

Both networks 106, 108 are further connected to a backbone network 110, which may be the Internet, an intranet, a fixed public or private network, or any combination of such networks. A server 112 is connected to the backbone network 110, providing service to the mobile terminal 100 in this case.

The first network 106 covers a wide geographic area, and the second network 108 covers a limited overlapping spot area, and can provide a higher data transmission rate than the first network 106. It is therefore preferred that the mobile terminal 100 is connected to the second network 108 when being within the spot coverage area of the second network 108. The second network 108 may also provide a higher quality or enhanced services. Generally speaking, the second network 108 has priority over the first network 106.

The first network 106 comprises an authentication unit 114 having access to various authentication information which is used for authenticating the mobile terminal 100. The authentication information is stored in a database, such as a HLR (Home Location Register), not shown, and may include identity codes and/or certificates matching similar information stored in the terminal or in a SIM card or the like inserted therein.

An exemplary procedure will now be described for accessing the first network 106 and then switching access to the second network 108, with reference to a signalling diagram in FIG. 2. Corresponding elements are denoted with the same reference numbers as in FIG. 1.

Firstly, the mobile terminal 100 makes access to the first network 106 using the first radio device 102, in a first step 200. When setting up the connection, a session context is established, including an authentication procedure. The session context may further include setting parameters such as user interface features, service features, a charge rate and communication protocols, including a data rate.

The authentication procedure involves exchanging of secret codes and/or certificates between the mobile terminal 100 and the authentication unit 114, in a step 202, according to a routine which is predefined in the first network 106. For example, if the first network 106 is a GSM/GPRS network, a SIM card in a mobile phone is used. Different network types have their own specific predefined authentication procedures as dictated by standardised protocols, which will not be described here further.

When the session context is created and a connection is authorised, the mobile terminal 100 may begin to communicate payload data over the first network 106, in this case with a server 112 providing service to the mobile terminal 100, in a step 204. The data rate is then limited to the bitrate offered by the first network 106. Since the two radio devices 102, 104 are interconnected, the functionality and user interface of both may be used by a user, as described above. For example, an IP (Internet Protocol) connection may be established between a mobile phone 102 and a packet core network, not shown, in the first network 106, which IP connection may be available to a laptop computer connected to the mobile phone 102.

If the mobile terminal 100 moves into the coverage area of the second access network 108, this can be detected automatically in a step 206, preferably by means of the second radio device 104. The presence of the mobile terminal 100 in the coverage area of the second network 108 can in fact be detected in different ways. Three exemplary alternatives are given below:

1. The second network 108 transmits an identification signal which the mobile terminal 100 can detect in the second radio device 104, such as a PCCARD or the like installed in a laptop computer. For example, in a WLAN, access points continuously transmit an identifier, typically named ESSID (Extended Service Set Identifier) and/or SSID, which the second radio device 104 can receive and recognise as identifying the WLAN.

2. The second radio device 104 transmits an identification signal which is detected by the second network 108, which then may notify the radio device 104 accordingly.

3. A locating function determines that the mobile device 100 is located within the second network 108. The locating may be performed by a GPS (Global Location System) unit, or by a function in the first network 106, such as triangulation. Such locating functions are currently used for, e.g., transmitting location dependent messages to mobile terminals and for searching purposes. The GPS unit or the first network 106 may then notify the mobile terminal 100 accordingly.

When the availability of the second network 108 to the mobile terminal 100 has been detected, as described in step 206, a new connection with the second network 108 is authorised, based on the authorising for the connection with the first network 106 made in step 202. The first radio unit 102 and the authentication unit 114 then exchange information, in a step 208, for authorising and establishing the new connection with the second network 108.

The first radio unit 102 may begin by sending an access request. The authentication unit 114 then replies by sending login information, such as a login identity and a temporary password, which the mobile terminal 100 can use when accessing the second network 108 by means of the second radio unit 104. The authentication unit 114 may also send one or more encryption keys to be used during the login procedure and/or during the communication session. The first network 106 has a predetermined authentication agreement with the second network 108, valid for the mobile terminal 100, including the exchanged login information and encryption keys, which are thus already known in the second network 108.

The second network 108 and the second radio unit 104 then exchange various messages for establishing a new session context, in a step 210, using the login information and encryption keys obtained in step 208.

In this way, the authentication done with the first network 106 in step 202 is utilised for authorising the new session with the second network 108 in step 210. For example, the second network 108 may comprise a subscriber administration server having the agreed login information and encryption keys stored therein. The subscriber administration server of the second network 108 may be integrated with the authentication unit 114 of the first network 106 in one server common to both networks 106, 108.

Hence, the high level of security offered in the first network 106 is utilised by the second network without requiring its own administration and distribution of secret codes and certificates. The authentication procedure in step 210 is also facilitated by reducing the amount of exchanged information, thereby also reducing delays and transmission load.

When the new session context is established and a connection with the second network 108 is authorised, the mobile terminal 100 may communicate payload data with the server 112 by means of the second radio device 104, in a step 212. In this case, the data rate is then increased to the higher bitrate offered by the second network 106. Further, the communicated payload data may be protected by encryption keys issued by the authentication unit 114 of the first network 106 during step 208. The access switch over to the second network 108 is fully automatic, requiring no efforts from a user.

If the mobile terminal 100 moves out of radio coverage of the second network 108, the connection breaks down in a step 214, and the session automatically reverts to the first network 106 by means of the first radio device 102, in a step 216. Since this connection was already authorised in step 202, no further authentication actions are required.

In practice, the invention may be implemented in a computer program for use in the mobile terminal 100, and in a computer program for use in the authentication unit 114.
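The exchange of steps 202 to 212 can be sketched as follows. This is an added example, not code from the patent: the class and function names, the HMAC challenge-response standing in for the first network's own authentication routine, the 60 second lifetime and single-use rule for the temporary password, and the HMAC tag standing in for payload protection are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 60  # assumed lifetime of the temporary password


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


class SecondNetwork:
    """Subscriber administration server of the second network (108)."""

    def __init__(self):
        self._pending = {}  # login_id -> (password digest, key, expiry)
        self.sessions = {}  # login_id -> key of an established session

    def provision(self, login_id, password, key, expires_at):
        # Called by the first network under the authentication agreement.
        digest = hashlib.sha256(password.encode()).digest()
        self._pending[login_id] = (digest, key, expires_at)

    def login(self, login_id, password, now=None):
        # Step 210. The entry is consumed on any attempt, so it is single use.
        now = time.time() if now is None else now
        entry = self._pending.pop(login_id, None)
        if entry is None:
            return False
        digest, key, expires_at = entry
        offered = hashlib.sha256(password.encode()).digest()
        if now > expires_at or not hmac.compare_digest(digest, offered):
            return False
        self.sessions[login_id] = key
        return True

    def accept_payload(self, login_id, payload, tag):
        # Step 212: accept payload only with a valid tag under the issued key.
        key = self.sessions.get(login_id)
        return key is not None and hmac.compare_digest(mac(key, payload), tag)


class AuthenticationUnit:
    """Authentication unit (114) of the first network (106)."""

    def __init__(self, second_network, subscriber_secrets):
        self._second = second_network
        self._secrets = dict(subscriber_secrets)  # stand-in for the HLR
        self._challenges = {}                     # subscriber -> nonce
        self._authorised = set()                  # authorised first connections

    def challenge(self, subscriber):
        self._challenges[subscriber] = secrets.token_bytes(16)
        return self._challenges[subscriber]

    def authorise_first(self, subscriber, response):
        # Step 202 stand-in: challenge-response on the subscriber secret.
        nonce = self._challenges.pop(subscriber, None)
        secret = self._secrets.get(subscriber)
        ok = (nonce is not None and secret is not None
              and hmac.compare_digest(mac(secret, nonce), response))
        if ok:
            self._authorised.add(subscriber)
        return ok

    def issue_second_access(self, subscriber, now=None):
        # Step 208: only an already authorised first connection may ask.
        if subscriber not in self._authorised:
            raise PermissionError("no authorised first connection")
        now = time.time() if now is None else now
        login_id = "tmp-" + secrets.token_hex(8)
        password = secrets.token_urlsafe(16)
        key = secrets.token_bytes(32)
        self._second.provision(login_id, password, key, now + TTL_SECONDS)
        return login_id, password, key


def run_handover():
    """Walk steps 202-212 once, then probe replay and expiry."""
    sim_secret = secrets.token_bytes(16)  # constructed sample secret
    wlan = SecondNetwork()
    unit = AuthenticationUnit(wlan, {"subscriber-1": sim_secret})
    out = {}
    nonce = unit.challenge("subscriber-1")
    out["first_ok"] = unit.authorise_first("subscriber-1", mac(sim_secret, nonce))
    login_id, password, key = unit.issue_second_access("subscriber-1", now=1000.0)
    out["second_ok"] = wlan.login(login_id, password, now=1010.0)
    out["replay_ok"] = wlan.login(login_id, password, now=1011.0)
    out["payload_ok"] = wlan.accept_payload(login_id, b"data", mac(key, b"data"))
    late_id, late_pw, _ = unit.issue_second_access("subscriber-1", now=2000.0)
    out["expired_ok"] = wlan.login(late_id, late_pw, now=2061.0)
    return out
```

Because the second network trusts whatever the first network provisions, the temporary password and key are bearer credentials: the sketch keeps them short-lived and single-use, and refuses to issue them to a subscriber without an authorised first connection.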

By using the described invention, access switching between two networks is facilitated with maintained security, without requiring manual efforts from a user. Also, delays and transmission load are reduced.

While the invention has been described with reference to specific exemplary embodiments, the description is only intended to illustrate the inventive concept and should not be taken as limiting the scope of the invention. Various alternatives, modifications and equivalents may be used without departing from the spirit of the invention, which is defined by the appended claims.

1. A method of switching access for a mobile terminal between a first mobile network and a second different mobile network, the mobile terminal comprising a first radio device and a second radio device capable of communication with the first and second mobile networks, respectively, wherein the first and second radio devices are interconnected by a communications link and the second mobile network has priority over the first mobile network, the method comprising: A) making an access request to the first mobile network by the mobile terminal using the first radio device, B) authorizing and establishing a first connection between the first radio device in the mobile terminal and the first mobile network, C) when the mobile terminal is detected as present in a coverage area of the second mobile network, the first radio device of the mobile terminal receiving authentication information from an authentication unit in the first mobile network, wherein the received authentication information includes one or more encryption keys and log-in information from the authentication unit, and D) authorizing and establishing a second connection between the second radio device in the mobile terminal and the second mobile network based on the authorizing step B) for the first connection with the first mobile network, wherein the second radio device uses said one or more encryption keys to establish the second connection and to protect payload data communicated over the second connection, and wherein the first mobile network has a predetermined authentication agreement with the second mobile network so that the authentication information and encryption keys are already known in the second network prior to authorizing and establishing the second connection.
2. A method according to claim 1, wherein the mobile terminal presence in the coverage area of the second mobile network is detected by the second radio device detecting an identification signal transmitted by the second mobile network.
3. A method according to claim 1, wherein the mobile terminal presence in the coverage area of the second mobile network is detected by the second mobile network detecting an identification signal transmitted by the second radio device.
4. A method according to claim 1, wherein the mobile terminal presence in the coverage area of the second mobile network is detected by a locating function determining that the mobile terminal is located within the coverage area of the second mobile network.
5. A method according to claim 1, wherein the first radio device is a mobile phone, the first mobile network is a GSM/GPRS network, the second radio device is a PCCARD in a laptop computer being connected to the mobile phone, and the second mobile network is a WLAN.
6. A method according to claim 1, wherein the first mobile network covers a wide geographical area, and the second mobile network covers a limited overlapping spot area.
7. The method according to claim 1, wherein the first mobile network has an authentication agreement with the second mobile network valid for the mobile terminal.
8. Mobile terminal apparatus comprising a first radio device and a second radio device which are capable of communication with a first mobile network and a second different mobile network, respectively, wherein the first and second radio devices are interconnected by a communications link and the second mobile network has priority over the first mobile network, the first radio device in the mobile terminal comprising electronic circuitry configured to: make an access request to the first mobile network; authorize and establish a first connection between the first radio device in the mobile terminal and the first mobile network; when the mobile terminal is detected as present in a coverage area of the second mobile network, receive authentication information with an authentication unit in the first mobile network, wherein the received authentication information includes one or more encryption keys and log-in information from the authentication unit, and the second radio device in the mobile terminal comprising electronic circuitry configured to: authorize and establish a second connection with the second mobile network by using the authentication information exchanged between the first radio device and the authentication unit in the first mobile network, and use said one or more encryption keys to establish the second connection and to protect payload data communicated over the second connection, and wherein the first mobile network has a predetermined authentication agreement with the second mobile network so that the authentication information and encryption keys are already known in the second network prior to authorizing and establishing the second connection.
9. Mobile terminal apparatus according to claim 8, wherein the second radio device electronic circuitry is further configured to detect an identification signal transmitted by the second mobile network.
10. Mobile terminal apparatus according to claim 8, wherein the first radio device is a mobile phone capable of communication with a GSM/GPRS network, and the second radio device is a PCCARD in a laptop computer capable of communication with a WLAN.
11. The mobile terminal apparatus in claim 8, wherein the first mobile network has an authentication agreement with the second mobile network valid for the mobile terminal.
12. An authentication unit for authenticating a mobile terminal comprising a first radio device and a second radio device capable of communication with a first mobile network and a second different mobile network, respectively, wherein the first and second radio devices are interconnected by a communications link, the second mobile network has priority over the first mobile network, and wherein the first mobile network has an authentication agreement with the second mobile network valid for the mobile terminal, the authentication unit comprising electronic circuitry is configured to: authorize and establishing a first connection between the first radio device in the mobile terminal and the first mobile network in response to an access request from the first radio device, and to exchange authentication information with the first radio device of the mobile terminal when the mobile terminal is detected as present in a coverage area of the second mobile network, wherein the authentication information includes one or more encryption keys and log-in information from the authentication unit, wherein the exchanged authentication information can be used by the second radio device in the mobile terminal for authorizing and establishing a second connection between the second radio device and the second mobile network, wherein said one or more encryption keys can be used by the second radio device to establish the second connection and to protect payload data communicated over the second connection, and wherein the first mobile network has a predetermined authentication agreement with the second mobile network so that the authentication information and encryption keys are already known in the second network prior to authorizing and establishing the second connection.
13. An authentication unit according to claim 12, wherein the authentication unit belongs to the first mobile network.
14. An authentication unit according to claim 13, wherein the authentication unit also belongs to the second mobile network.